Ransomware

Ransomware is malware that can lock a device or encrypt its contents in order to extort money from the owner. In return, operators of the malicious code promise – of course, without any guarantees – to restore access to the affected machine or data.

What is ransomware?

This specific kind of malicious software is used for extortion. When a device is successfully attacked, the malware blocks the screen or encrypts the data stored on the disk, and a ransom demand with payment details is displayed to the victim.

How to recognize ransomware?

If you have been attacked, ransomware will in most cases inform you by displaying a ransom message on your screen, or by adding a text file (the ransom message) to the affected folders. Many ransomware families also change the file extension of the encrypted files.
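Those two signs (a dropped note file and a burst of files with a changed extension) can be checked for mechanically. The Python script below is an added example, not code from the original ESET article: it walks a directory and reports ransom-note-like text files, folders where most files carry one unfamiliar extension, and files whose bytes look encrypted (high entropy, which the article does not mention but which is a standard defender check). The note-name regex, keyword list, extension allowlists and thresholds are assumed values chosen for illustration, and the script builds its own constructed sample tree in a temporary directory so it runs offline.

```python
"""Heuristic scan for the ransomware signs described above.

Added example, not code from the original ESET article. Note-name regex,
keyword list, extension allowlists and thresholds are assumptions.
"""
import math
import os
import random
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumed note filename shapes and extortion phrases (illustrative, not ESET data).
NOTE_NAME_RE = re.compile(
    r"(readme|how.?to.?(decrypt|recover)|restore|decrypt).*\.(txt|html|hta)$", re.I)
NOTE_KEYWORDS = ("bitcoin", "decrypt", "your files", "ransom", "payment")
# Extensions ordinarily found in user folders; a cluster of these is not suspicious.
KNOWN_EXTS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
              ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4", ".zip", ".gz",
              ".csv", ".html", ".log", ".py", ".c", ".h"}
# Formats that are compressed by design, so high entropy is expected there.
COMPRESSED_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4", ".zip", ".gz",
                   ".7z", ".rar", ".pdf", ".docx", ".xlsx", ".pptx"}
EXT_CLUSTER_THRESHOLD = 0.6   # share of a folder's files sharing one unfamiliar extension
ENTROPY_THRESHOLD = 7.5       # bits per byte; 8.0 is uniformly random data
MIN_FILES_FOR_CLUSTER = 5     # ignore tiny folders


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """Filename matches a note pattern and the text carries extortion phrases."""
    if not NOTE_NAME_RE.search(path.name):
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return sum(k in text for k in NOTE_KEYWORDS) >= 2


def scan_directory(root) -> dict:
    """Walk root and return the indicators found, each as a sorted list."""
    root = Path(root)
    notes, clusters, high_entropy = [], [], []
    for folder, _dirs, files in os.walk(root):
        folder_path = Path(folder)
        exts = Counter()
        for name in files:
            p = folder_path / name
            rel = p.relative_to(root).as_posix()
            if looks_like_ransom_note(p):
                notes.append(rel)
                continue
            ext = p.suffix.lower()
            if ext:
                exts[ext] += 1
            if ext in COMPRESSED_EXTS:
                continue
            try:
                head = p.read_bytes()[:4096]
            except OSError:
                continue
            if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                high_entropy.append(rel)
        total = sum(exts.values())
        if total >= MIN_FILES_FOR_CLUSTER:
            ext, count = exts.most_common(1)[0]
            if ext not in KNOWN_EXTS and count / total >= EXT_CLUSTER_THRESHOLD:
                clusters.append((folder_path.relative_to(root).as_posix(), ext))
    return {"ransom_notes": sorted(notes),
            "extension_clusters": sorted(clusters),
            "high_entropy_files": sorted(high_entropy)}


def build_sample_tree() -> str:
    """Constructed sample: one folder showing the signs, one ordinary photo folder."""
    root = Path(tempfile.mkdtemp(prefix="rw_demo_"))
    rng = random.Random(1)  # deterministic stand-in for encrypted/compressed bytes

    def blob() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(1024))

    hit = root / "documents"
    hit.mkdir()
    for i in range(6):
        (hit / f"report{i}.docx.locked").write_bytes(blob())
    (hit / "README_TO_DECRYPT.txt").write_text(
        "Your files have been encrypted. Send 0.5 bitcoin to receive the decrypt tool.\n")
    clean = root / "photos"
    clean.mkdir()
    for i in range(6):
        (clean / f"holiday{i}.jpg").write_bytes(blob())
    (clean / "notes.txt").write_text("Trip to the coast, photos sorted by day.\n")
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    for kind, hits in scan_directory(sample).items():
        print(f"{kind}: {hits}")
    shutil.rmtree(sample)
```

Run it as a script to see the three indicator lists for the constructed tree, or call `scan_directory()` on a real share. The extension and entropy checks are heuristics: a folder of archives or database dumps can trigger them on their own, so treat a hit as something to inspect, and weight it much higher when a note file sits in the same folder.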

How does ransomware work?

There are multiple techniques used by the ransomware operators:

Diskcoder ransomware encrypts the whole disk and prevents the user from accessing the operating system.

Screen locker blocks access to the device’s screen.

Crypto-ransomware encrypts data stored on the victim’s disk.

PIN locker targets Android devices and changes their access codes to lock out their users.

All the above-mentioned kinds of ransomware demand payment, most often requesting that it be made in bitcoin or some other hard-to-trace cryptocurrency. In return, their operators promise to decrypt the data or restore access to the affected device.

We need to stress that there is no guarantee that cybercriminals will deliver on their side of the bargain (and sometimes they are unable to do so, whether by design or because of incompetent coding). Therefore ESET recommends not paying the sum demanded – at least not before contacting ESET technical support to see what possibilities exist for decryption.

How to stay protected?

Basic rules you should follow to avoid your data being lost:

Back up your data on a regular basis – and keep at least one full backup off-line

Keep all your software – including operating systems – patched and up to date
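The backup rule only helps if the backup itself survives intact: a copy that ransomware can reach is encrypted along with everything else. The Python script below is an added example, not the article's own code. It records a SHA-256 digest of every file in a backup set, stores that manifest apart from the backup, and later reports files that were modified, removed or added, which is what an encryption event on a reachable backup looks like. The file names, contents and paths are constructed for the demonstration.

```python
"""Backup integrity manifest.

Added example, not from the original article. Records a SHA-256 digest per
file in a backup set and later compares the set against that record.
File names and contents below are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Map each file path (relative to root, POSIX form) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            p = Path(folder) / name
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def save_manifest(manifest: dict, path) -> None:
    """Write the manifest as JSON; keep this copy apart from the backup tree itself."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path) -> dict:
    """Read a manifest written by save_manifest."""
    return json.loads(Path(path).read_text())


def verify_backup(root, manifest: dict) -> dict:
    """Compare the current tree with the manifest: changed, missing and new files."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed run: take a manifest, then alter the backup the way an encryption
    event would (content overwritten, file renamed, note dropped) and verify."""
    work = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    backup = work / "backup"
    backup.mkdir()
    (backup / "a.txt").write_text("quarterly report")
    (backup / "b.txt").write_text("customer list")
    manifest_file = work / "manifest.json"   # stored outside the backup tree
    save_manifest(build_manifest(backup), manifest_file)
    (backup / "a.txt").write_bytes(b"\x8f\x12\x9a")            # content replaced
    (backup / "b.txt").rename(backup / "b.txt.locked")         # extension changed
    (backup / "README.txt").write_text("your files are encrypted")  # note dropped
    return verify_backup(backup, load_manifest(manifest_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_manifest()` and `save_manifest()` right after each backup job, keep the manifest with the off-line copy rather than on the backup volume, and run `verify_backup()` before relying on a backup for restore. Any entry under `modified` or `missing` means that copy cannot be trusted.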

Brief history

The first documented case of ransomware was in 1989. Called the AIDS Trojan, it was physically distributed through the post via thousands of floppy disks that claimed to contain an interactive database on AIDS and risk factors associated with the disease. When triggered, the malware effectively disabled the user's access to much of the content on the disk.

The AIDS Trojan demanded a ransom (or, as the ransom note called it, a “license payment”) of US $189 to be sent to a post office box in Panama, which would allow the user to execute the program 365 times. Dr. Joseph Popp was identified as the author; authorities, however, declared him mentally unfit to stand trial.

Recent examples

In May 2017, a ransomware worm detected by ESET as WannaCryptor, aka WannaCry, spread rapidly using the EternalBlue exploit leaked from the NSA, which targeted a vulnerability in the most popular versions of the Windows operating system. Despite the fact that Microsoft had issued patches for many of the vulnerable OSes more than two months prior to the attack, files and systems of thousands of organizations around the globe fell victim to the malware. The damage it caused was estimated at billions of dollars.

In June 2017, malware detected by ESET as Diskcoder.C, aka Petya, started making the rounds in Ukraine, but soon burrowed its way out of the country. As it later turned out, it was a well-orchestrated supply-chain attack that misused popular accounting software in order to attack and harm Ukrainian organizations.

However, it got out of hand: by infecting many global companies, including Maersk, Merck, Rosneft and FedEx, it caused hundreds of millions of dollars in damages.